Fix CVE-2018-6544:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6544
https://bugs.ghostscript.com/show_bug.cgi?id=698830
https://bugs.ghostscript.com/show_bug.cgi?id=698965 

Patches copied from upstream source repository:

https://git.ghostscript.com/?p=mupdf.git;h=26527eef77b3e51c2258c8e40845bfbc015e405d
https://git.ghostscript.com/?p=mupdf.git;h=b03def134988da8c800adac1a38a41a1f09a1d89

From b03def134988da8c800adac1a38a41a1f09a1d89 Mon Sep 17 00:00:00 2001
From: Sebastian Rasmussen <sebras@gmail.com>
Date: Thu, 1 Feb 2018 16:36:14 +0100
Subject: [PATCH] Bug 698830: Avoid recursion when loading object streams
 objects.

If there were indirect references in the object stream dictionary and
one of those indirect references referred to an object inside the object
stream itself, mupdf would previously enter recursion only bounded by the
exception stack. After this commit the object stream is checked if it is
marked immediately after being loaded. If it is marked then we terminate
the recursion at this point, if it is not marked then mark it and
attempt to load the desired object within. We also take care to unmark
the stream object when done or upon exception.
---
 source/pdf/pdf-xref.c | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/source/pdf/pdf-xref.c b/source/pdf/pdf-xref.c
index 723b543c..ed09094c 100644
--- a/source/pdf/pdf-xref.c
+++ b/source/pdf/pdf-xref.c
@@ -1576,6 +1576,19 @@ pdf_load_obj_stm(fz_context *ctx, pdf_document *doc, int num, pdf_lexbuf *buf, i
 	{
 		objstm = pdf_load_object(ctx, doc, num);
 
+		if (pdf_obj_marked(ctx, objstm))
+			fz_throw(ctx, FZ_ERROR_GENERIC, "recursive object stream lookup");
+	}
+	fz_catch(ctx)
+	{
+		pdf_drop_obj(ctx, objstm);
+		fz_rethrow(ctx);
+	}
+
+	fz_try(ctx)
+	{
+		pdf_mark_obj(ctx, objstm);
+
 		count = pdf_to_int(ctx, pdf_dict_get(ctx, objstm, PDF_NAME_N));
 		first = pdf_to_int(ctx, pdf_dict_get(ctx, objstm, PDF_NAME_First));
 
@@ -1655,6 +1668,7 @@ pdf_load_obj_stm(fz_context *ctx, pdf_document *doc, int num, pdf_lexbuf *buf, i
 		fz_drop_stream(ctx, stm);
 		fz_free(ctx, ofsbuf);
 		fz_free(ctx, numbuf);
+		pdf_unmark_obj(ctx, objstm);
 		pdf_drop_obj(ctx, objstm);
 	}
 	fz_catch(ctx)
-- 
2.16.3

From 26527eef77b3e51c2258c8e40845bfbc015e405d Mon Sep 17 00:00:00 2001
From: Sebastian Rasmussen <sebras@gmail.com>
Date: Mon, 29 Jan 2018 02:00:48 +0100
Subject: [PATCH] Bug 698830: Don't drop unkept stream if running out of error
 stack.

Under normal conditions where fz_keep_stream() is called inside
fz_try() we may call fz_drop_stream() in fz_catch() upon exceptions.
The issue comes when fz_keep_stream() has not yet been called but is
dropped in fz_catch(). This happens in the PDF from the bug when
fz_try() runs out of exception stack, and next the code in fz_catch()
runs, dropping the caller's reference to the filter chain stream!

The simplest way of fixing this it to always keep the filter chain
stream before fz_try() is called. That way fz_catch() may drop the
stream whether an exception has occurred or if the fz_try() ran out of
exception stack.
---
 source/pdf/pdf-stream.c | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/source/pdf/pdf-stream.c b/source/pdf/pdf-stream.c
index c89da5c4..c6ba7ad3 100644
--- a/source/pdf/pdf-stream.c
+++ b/source/pdf/pdf-stream.c
@@ -303,14 +303,13 @@ pdf_open_raw_filter(fz_context *ctx, fz_stream *chain, pdf_document *doc, pdf_ob
 		*orig_gen = 0;
 	}
 
-	fz_var(chain);
+	chain = fz_keep_stream(ctx, chain);
 
 	fz_try(ctx)
 	{
 		len = pdf_to_int(ctx, pdf_dict_get(ctx, stmobj, PDF_NAME_Length));
 
-		/* don't close chain when we close this filter */
-		chain2 = fz_keep_stream(ctx, chain);
+		chain2 = chain;
 		chain = NULL;
 		chain = fz_open_null(ctx, chain2, len, offset);
 
-- 
2.16.3

